Not hating on VR but it’s still a far cry from a holodeck.

I mean, that image is pretty rude, too.

What’s stored is hash(password). Then the password check is stored == hash(entered).

Hash(x) will be the same length, regardless of what x is. What that length is depends on which hash function it is. So the database can set the length of its storage for each user’s password to the length of the hash and the hash function will take any size password.

Until they remove checking that reg key from all versions other than maybe enterprise. If they decide that running windows requires an MS online account, they can keep bumping up the difficulty of running it without whenever they want.

Which suggests to me that MS stores plaintext passwords. Because a hash function doesn’t care about the length of what it’s hashing, the output will always be the same length, so they could verify a 300 character password with the same storage space as a 3 character password.